Blog CVE-2024-4947: v8 incorrect AccessInfo for module namespace object causes Maglev type confusion, we have an oob read/write inside of sandbox.
buptsb.github.io/blog/post/CVE-…
By @mistymntncop and me
PoC and writeup about CVE-2024-5830: incorrect handling of deprecated map in [[CreateDataProperty]] from Man Yue Mo.
This vuln is not that complicated and I guess it's all about exploit techniques.
buptsb.github.io/blog/post/CVE-…
By me and jj @mistymntncop
CVE-2024-4761: ITW v8 type confusion of WasmObjects causes oob read/writes inside of sandbox PoC, from @mistymntncop
It's a shock for me that we could oob just through writing zeros...🤪
CVE-2024-2887 WebAssembly type confusion PoC docs.google.com/document/d/e/2…
Missed out on the v8ctf bounty again because I have absolutely no idea how to achieve v8 sbx escape...🥹
My writeup about CVE-2024-2625, non-allowed main thread handle deref during off-thread parsing in v8
"Since the bug reporter shared this bug into Google just before Pwn2Own2024, I think this bug is not exploitable." 🤣
gist.github.com/mistymntncop/2…
PoC of v8 CVE-2024-3159: enumcache oob v2.0
docs.google.com/document/d/1ke…
It's related to CVE-2023-4427.
As a security researcher who has long been aware of the potential bugs in MapUpdater and enumcache, I should reflect on my careless code review and outdated workflow.
A quick note about CVE-2024-3832: Object corruption on wasm functions installation. docs.google.com/document/d/e/2…
Status: no PoC, hole leak / object corruption
In this post I'll use CVE-2023-4069, a type confusion bug in the Maglev JIT compiler of Chrome that I reported in July, to gain RCE in the Chrome renderer sandbox: github.blog/2023-10-17-get…